Most of my information security focus these past few years has concentrated on management and governance, but this was not always the case. I came into this profession as a technologist and manager who focused on team building, turn-arounds and doing a lot with few resources. But as my career moved from technology operations to security […]
Last week I presented a topic here at Halock’s blog site on the Hand Rule, also known as the “Calculus of Negligence.” The basic message of the post was that we can use information risk assessments to help us keep our security costs to a reasonable level, but only by describing how we would arrive […]
While presenting a talk at CAMP IT last week I got into a number of conversations with attendees about the Hand Rule. At HALOCK Security Labs we talk about the Hand Rule a lot. Also known as the Calculus of Negligence, it is a way that an organization can mathematically estimate what a “reasonable” investment […]
While preparing for a keynote talk at CAMP IT that is rapidly coming up I was struggling to find the main point of my talk. I had been puzzling for several weeks, asking myself what single message I wanted to leave my audience with. I’ve been speaking for some time now about information security and […]
I hear this question very often. It is similar to the question, “Is email HIPAA compliant?” or “Are texts HIPAA compliant?” And while my gut often kicks in and I want to easily say, “No!” that is often a bad answer. Here is why. We don’t know whether something is compliant or not if we […]
Perfect security is not possible, feasible nor required by law. In fact, information security laws and regulations require that we provide “reasonable and appropriate” security through a well-defined risk management process. Without a risk-based approach, organizations attempt to address information security requirements by either attempting to comply with a long list of security controls, or […]
The PCI Security Standards Council has released a new Information supplement for PCI DSS Risk Assessment Guidelines. Organizations planning and performing a risk assessment in accordance with PCI DSS 12.1.2 can use the information supplement to help identify threats and the associated vulnerabilities that could jeopardize the security of payment card data.
As stated in a previous post, effective Data Loss Prevention (DLP) will be an important component of an overall Risk Management Framework. The Risk Management framework should include the following: